US7370111B2 - System, protocol and related methods for providing secure manageability - Google Patents
- Publication number: US7370111B2
- Authority: US (United States)
- Prior art keywords: authentication, network interface, value, remote, enhanced network
- Legal status: Active, expires (status as listed by Google Patents; not a legal conclusion)
Classifications
All classifications fall under H04L (Electricity; Electric communication technique; Transmission of digital information, e.g. telegraphic communication):
- H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
- H04L67/125: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks, involving control of end-device applications over a network
- H04L69/329: Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
Definitions
- the present invention generally relates to the field of data networks and, more particularly, to a system, protocol and related methods for providing secure manageability.
- Networking of computing devices is known. Examples of such data networks include local area networks (LANs), wide area networks (WANs), global networks (the Internet), the networking of telecommunications devices (i.e., cellular networks, PCS networks, wireline telephony networks), and the like. Many of these networks comprise a variety of client computers with disparate processor architectures and Operating Systems (OS) that rely on architecture-dependent versions of standardized network communication protocols such as, for example, the well-known Transmission Control Protocol/Internet Protocol (TCP/IP), Internetwork Packet Exchange (IPX), User Datagram Protocol/Internet Protocol (UDP/IP), or other suitable networking protocols (cumulatively referred to as the Internet communication suite) to enable these otherwise disparate computing architectures to interact with one another.
- TCP/IP Transmission Control Protocol/Internet Protocol
- IPX Internetwork Packet Exchange
- UDP/IP User Datagram Protocol/Internet Protocol
- Manageability, in this instance, is the ability to remotely control and manage at least a subset of the hardware functions of a remote computing device (e.g., a client computer).
- An example of one such inherent limitation in conventional management tools is the fact that they rely on an operational operating system (OS) at the remote computing device. That is, many such conventional management tools require an operating client-side application, executing atop the OS of the computing device. If the OS hangs, so, too, does the ability to access and utilize the resources of the client-side component of the conventional network management tool.
- OS operating system
- IPSec Secured Internet Protocol
- IETF Internet Engineering Task Force
- RFC IETF Request for Comment
- One element of the IPSec security information is an anti-replay value, often implemented as a sequence number of a packet within a communication stream, to repel replay attacks on the secure communication by a third party.
- the anti-replay value changes on a per-packet basis.
- Conventional implementations often require each of the communicating entities to continuously store updated version(s) of the anti-replay value upon receipt of each packet.
- the updated sequence value is often stored on a hard drive of the client and, in this regard, typically requires a functional operating system in order to access the last sequence number and recover from the initialization event.
- a functional operating system is not always available after such an initialization event.
- FIG. 1 is a block diagram of an example network incorporating the teachings of the present invention, according to one example implementation of the present invention.
- FIG. 2 is a block diagram of an example enhanced network interface incorporating a secure communications interface, in accordance with one aspect of the present invention.
- FIG. 3 is a graphical illustration of an example data structure used in accordance with the secure communications interface, according to one example implementation of the invention.
- FIG. 4 is a block diagram of an example manageability services architecture, according to one aspect of the present invention.
- FIG. 5 is a graphical illustration of an example data structure used in accordance with the manageability services for maintaining security information, according to one example embodiment of the present invention.
- FIG. 6 is a graphical illustration of an example datagram used in accordance with the teachings of the present invention.
- FIG. 7 is a flow chart of an example method for implementing secure manageability communications, in accordance with the teachings of the present invention.
- FIG. 8 is an example communication flow diagram for establishing an anti-replay value in accordance with the teachings of the present invention.
- FIG. 9 is a block diagram of an example computing device suitable for implementing one or both of the enhanced network interface and/or the manageability services of the present invention.
- FIG. 10 is a block diagram of an example storage medium comprising a plurality of executable instructions which, when executed, cause an accessing machine to implement one or more aspects of the innovative communication agent of the present invention, in accordance with an alternate embodiment of the present invention.
- the present invention is generally directed to a system, protocol and related methods for providing secure manageability of a computing device over a data network.
- an enhanced network interface (ENI) which employs an innovative authentication protocol with anti-replay features, to authenticate a remote device upon detecting an initialization event in a host device, facilitating recovery and re-establishment of secure communications with an authenticated remote device (e.g., manageability server).
- an authenticated remote device e.g., manageability server
- the protocol enabled by the enhanced network interface facilitates such authentication of a manageability server, for example, even in the absence of a functional operating system executing on the host device.
- use of the innovative authentication protocol enables the ENI to authenticate and establish secure communications with a remote network device even in the absence of a functional operating system executing on the host device.
- the innovative protocol used to authenticate a remote network device is colloquially referred to as the Anti-Replay Exchange (ARE) protocol.
- ARE Anti-Replay Exchange
- the ARE is selectively employed between an ENI and a remote network device (e.g., manageability server) to authenticate the remote device to the ENI.
- a remote network device e.g., manageability server
- secure communications e.g., manageability communications
- the ARE introduced herein is one layer of a multi-layer communication protocol employed to facilitate secure, manageability communications between authenticated devices.
- the enhanced network interface is typically implemented in a computing device to be managed (or, client computing device), while the manageability services are implemented in a computing device providing the management interface (or, manageability computing device). It should be appreciated from the discussion to follow that either computing device may well be beneficially endowed with one or both of the ENI and/or the manageability services and may, in this regard, be a client computing device at one time and a manageability computing device at another.
- FIG. 1 provides a block diagram of an example network (e.g., a data network) incorporating the teachings of the present invention.
- network 100 is depicted comprising a computing device 102 coupled to another (remote) computing device 104 through one or more networking devices comprising a networking architecture 106 .
- computing device 102 includes an enhanced network interface (ENI) 108 endowed with a security agent 110 to authenticate a remote computing device 104 (e.g., a manageability server), and secure at least manageability communications with the manageability services 112 executing on the remote computing device 104 .
- a secure manageability system is established comprising a computing device ( 104 ) endowed with an innovative ENI 108 coupled with the manageability service(s) 112 of a remote computing device 104 through a data network 106 .
- the security agent 110 of the ENI is selectively invoked upon receipt of an initialization event of the client computing device 102 (“client”).
- security agent 110 authenticates a remote computing device as a manageability server in order to establish a secure communication link with the remote manageability computing device to secure at least manageability communications between the ENI 108 and the manageability services 112 of the computing device(s), e.g., 104 .
- an initialization event may be a power-on (“cold”) boot of a host computing device, a reset (warm boot) of a host computing device, a reset of a processor within the computing device, and the like.
- security agent 110 is endowed with an authentication protocol, colloquially referred to as the anti-replay exchange (ARE) communication protocol.
- ARE anti-replay exchange
- an example implementation of the ARE protocol includes one or more of a request (REQ), response (RSP), verify/challenge (VFY) and/or authentication (AUTH) feature(s).
- REQ request
- RSP response
- VFY verify/challenge
- AUTH authentication
- ENI 108 identifies and authenticates a remote computing device, also employing at least a subset of the ARE protocol features, whereupon the remote computing device provides ENI 108 with a baseline anti-replay value for use as a starting point for securing subsequent communications with the remote computing device using, e.g., IPSec.
- the resources of the ARE protocol may well be integrated within an enhanced version of IPSec, to facilitate the establishment and exchange of a baseline anti-replay value with an authenticated remote computing device to facilitate at least manageability communications with the remote computing device.
- Once security agent 110 has authenticated a remote computing device and established a baseline anti-replay value, security agent 110 selectively invokes an instance of security communication services, which employs a secured communication protocol for use in at least manageability communications between the computing devices.
- the communication services element of security agent 110 employs the IPSec communications protocol to facilitate at least subsequent manageability communications between the ENI 108 and the manageability services 112 of the remote computing device (e.g., 104 ) via data network 106 until a subsequent initialization event is encountered.
- Upon receiving an indication of a subsequent initialization event at the host ( 102 ), the ENI 108 again invokes the resources of security agent 110 to identify and authenticate a remote computing device employing the innovative ARE protocol to re-establish secure communications with the manageability services 112 .
- the ARE protocol is an enabling technology that authenticates a remote computing device as a legitimate source of manageability services and establishes a baseline anti-replay value in support of subsequent manageability communications using, for example, the security resources of IPSec.
- the ARE protocol is implemented within security agent 110 of ENI 108 and, in this regard, functions as described herein, even in the absence of an operational OS executing on the host computing device 102 .
- computing device 102 includes key exchange/management features (not particularly denoted), which establish and maintain a “shared secret” between the computing device 102 and computing device 104 .
- as the key exchange/management features, any of a number of secure key exchange management protocol(s) such as, e.g., the Internet Security Association Key Management Protocol (ISAKMP) (IETF RFC2408 (1998)), Oakley Key Distribution Protocol (OKDP), and the like may well be used.
- ISAKMP Internet Security Association Key Management Protocol
- OKDP Oakley Key Distribution Protocol
- the security key (SS) is provided to computing device 102 manually, e.g., by carrying the security key to the client 102 on a removable storage medium (floppy disk, CD-ROM, and the like) and installing it using a user interface. Once the security key is established by the host computing device 102 , it is also provided to and stored locally within ENI 108 as well.
- one or more remote computing device(s) such as, e.g., computing device 104 , includes manageability services 112 .
- manageability services 112 comprise one or more applications (tools) that monitor, diagnose and/or manage one or more aspects of a communicatively coupled, e.g., through network 106 , computing device(s).
- manageability services 112 , and/or the computing device 104 include ARE protocol communication resources with which to enable the authentication features described herein.
- manageability service(s) 112 and computing device 104 are intended to represent any of a wide variety of manageability service(s) and computing device(s) known in the art and, as such, need not be further developed herein.
- data network 106 is intended to represent any of a wide variety of circuit and/or packet-switched networks known in the art.
- network 106 may well be a local area network (LAN), a wide area network (WAN), a global inter-networking of multiple networks (e.g., Internet), a communications network, and the like adhering to any of a number of network architecture(s).
- LAN local area network
- WAN wide area network
- Internet global inter-networking of multiple networks
- the enhanced network interface 108 facilitates true manageability services, i.e., without the need of an operational OS executing on the managed client computer.
- the addition of the innovative security agent 112 and the associated anti-replay exchange (ARE) protocol facilitate authentication of a remote computing device supporting establishment of secure manageability communications between the enhanced network interface 108 and the one or more manageability computing device(s) (e.g., 104 ).
- ARE anti-replay exchange
- For ease of illustration in providing context, and not limitation, the description of FIGS. 2-6 will be presented with continued reference to FIG. 1 .
- FIG. 2 illustrates a block diagram of an example enhanced network interface (ENI) incorporating the teachings of the present invention.
- ENI 108 is depicted comprising control logic 202 , memory 204 , network communication resource(s) 206 , security agent 110 and, optionally, one or more application(s) 208 , each logically coupled as depicted.
- ENI 108 includes a security agent 110 comprising one or more of authentication services 212 , secure communication services 214 , and/or cryptography service(s) 216 .
- ENI 108 in general, and security agent 110 in particular, are merely illustrative of one example implementation of one aspect of the present invention.
- ENI 108 facilitates the identification, authentication and establishment of manageability communication resources with a remote computing device, with or without the need of a functional OS executing on a host computing device.
- security agent 110 may well be implemented in hardware in the ENI 108 .
- enhanced network interface 108 is a network interface device (e.g., a network interface card (NIC)), and the one or more aspects of security agent 110 are implemented in an application specific integrated circuit (ASIC) provisioned on/within the network interface device.
- ASIC application specific integrated circuit
- the one or more elements of security agent 110 are implemented within a media access controller (MAC) of ENI 108 .
- MAC media access controller
- control logic 202 provides the logical interface between the enhanced network interface 202 and a host computing/network device.
- control logic 202 manages one or more aspects of ENI 108 to provide a communication interface from a host computing/network device to computing elements resident on communicatively coupled network(s).
- control logic 202 receives initialization event indications such as, e.g., an interrupt, from a host computing/networking device denoting any of a number of possible initialization event(s).
- control logic 202 selectively invokes the resource(s) of security agent 110 to (re)establish communications with one or more remote manageability devices.
- control logic 202 is intended to represent any of a wide variety of control logic known in the art and, as such, may well be implemented as a microprocessor, a micro-controller, a field-programmable gate array (FPGA), application specific integrated circuit (ASIC), programmable logic device (PLD) and the like. In alternate implementations, control logic 202 is intended to represent content (e.g., software instructions, etc.), which when executed implements the features of control logic 202 described herein.
- content e.g., software instructions, etc.
- Memory 204 is intended to represent any of a wide variety of memory devices and/or systems known in the art. According to one example implementation, memory 204 may well include volatile and non-volatile memory elements. In accordance with one aspect of the present invention, memory 204 includes non-volatile memory element(s) used to maintain manageability information. According to one example implementation, the non-volatile memory elements are comprised of electronically erasable programmable read-only memory (EEPROM) element(s) (not specifically denoted). A graphical illustration of an example memory 204 is presented with reference to FIG. 3 , below.
- EEPROM electronically erasable programmable read-only memory
- in FIG. 3 , a graphical illustration of an example data structure suitable for use in accordance with the authentication and secured manageability communication features of ENI 108 is generally presented.
- a memory 204 is endowed with a data structure comprising one or more of a security key (or, shared secret (SS)) 302 and an authentication value (PR).
- the security key (SS) is a secret shared between the client 102 (or, the ENI 108 ) and the manageability server 104
- the authentication value is a pseudo-random number generated by authentication services 212 on ENI 108 .
- security agent 110 selectively accesses such elements of the data structure to facilitate secure manageability communications with manageability services 112 .
- because the authentication value is established by and maintained within the ENI 108 , it is available independently of a functional operating system executing on the host client 102 . Moreover, inasmuch as this value is typically generated and saved to memory 204 only once per initialization event, it does not serve to prematurely age the physical components of memory 204 as may other, conventional, approaches to authentication.
- ENI 108 is depicted comprising network communication resource(s) 206 .
- network communication resource(s) 206 provide the communication resources through which ENI 108 interacts with remote device(s) via a communicatively coupled communication medium, e.g., network 106 .
- network communication resource(s) 206 may well include resources to couple ENI 108 with any of a number of data network architectures, wireless communication architectures, and the like.
- Application(s) 208 are intended to represent an optional feature set of ENI 108 , i.e., the innovative aspects of ENI 108 may well be practiced without the need of such application(s) 208 . Nonetheless, in certain implementations it may be advantageous for ENI 108 to include, for example, a user interface, management tools, key management/exchange application(s) or protocol(s) and the like for use by, for example, an administrator of a host computing device. In this regard, application(s) 208 are intended to represent any of a wide variety of application(s) used to monitor and/or control one or more features of ENI 108 and/or a host computing device.
- security agent 110 is selectively invoked by control logic 202 to authenticate a remote computing device utilizing ARE protocol resources and establish a baseline sequence value to facilitate subsequent communications in general, and secure manageability communications in particular, between the ENI 108 and one or more manageability computing device(s) 104 .
- security agent 110 is depicted comprising one or more of authentication services 212 , secure communication services 214 and cryptography services 216 . Although depicted as a number of disparate elements, those skilled in the art will appreciate that one or more elements 212 - 216 of security agent 110 may well be combined without deviating from the scope and spirit of the present invention.
- security agent 110 identifies whether a security key is available from memory 204 or, from a memory resource of host computing system 102 . If the security key is not resident within ENI 108 , or available from host computing system 102 , the key management service(s)/protocol(s) of the host computing system are invoked to acquire a security key. As above, any of a number of methods and/or protocols may well be employed to acquire and manage a security key, which is then maintained in memory 204 . Once a security key is established, key management services of the host may periodically update the security key, in accordance with the particular method/protocol.
- authentication services 212 includes an innovative authentication protocol, i.e., the anti-replay exchange (ARE) protocol.
- the authentication protocol of authentication services 212 is selectively invoked upon detection of an initialization event in a host computing system (e.g., 102 ) and/or in ENI 108 , to communicate with a remote computing device, similarly endowed with at least the innovative authentication protocol (typically, a manageability server).
- the authentication protocol is employed to authenticate the manageability server to the security agent 110 , as well as to establish a baseline sequence value (anti-replay mechanism), used by, for example, the security communication protocol of secured communication services 214 .
- ENI 108 is depicted comprising secure communication service(s) 214 to facilitate such secure communication.
- secure communication service(s) may well employ any of a number of secure communication protocols such as, e.g., the secure Internet protocol(s) (IPSec, IPv6, etc.) and the like.
- the communication resources of secure communication services 214 e.g., IPSec
- the anti-replay value is an incremental sequence value field of the encapsulating security payload (ESP) header of the IPSec datagram (see, e.g., FIG. 6 ).
- ESP encapsulating security payload
- the cryptography services 216 provide security agent 110 with the ability to encrypt/decrypt elements of the secure communication in accordance with any of a wide variety of known and proprietary cryptography functions.
- cryptography services 216 may well use Data Encryption Standard (DES) compliant cryptography functions such as, e.g., DES, 3-DES, and the like.
- DES Data Encryption Standard
- manageability services 112 is presented comprising control logic 402 , memory 404 including security association (SA) information 406 , one or more manageability tools 408 and network interface(s) 410 , each logically coupled as depicted.
- SA security association
- manageability applications 408 includes ARE protocol resources 412 and may well include one or more of cryptography services 414 and/or secure communication service(s) 416 .
- manageability services 112 is capable of interacting with the authentication services 212 of an ENI 108 using the innovative ARE protocol.
- Control logic 402 controls the overall operation of manageability service(s) 112 .
- control logic 408 selectively invokes one or more manageability applications 408 and associated services ( 412 , 414 and 416 ) to provide a user with a means through which a remote computing device may be monitored and/or controlled.
- control logic 402 is intended to represent executable content (e.g., software) to implement the features of control logic 402 described herein. In alternate implementations, control logic 402 may well be implemented in hardware on, e.g., a network interface device, etc.
- Memory 404 is intended to represent any of a wide variety of memory devices and/or systems known in the art. According to one example implementation, memory 404 represents the memory system of a host computing system (e.g., 104 ) implementing the manageability service(s) 112 . Memory is depicted within the architecture of FIG. 4 to denote the relationship between the security association data structure 406 and the manageability services architecture.
- the security association data structure is established and maintained by control logic 402 , and may comprise a number of entries denoting security and manageability information associated with any of a number of remote (client) computing devices under management.
- An example security associations data structure is presented with reference to FIG. 5 .
- manageability services 112 may well perform manageability functions with multiple client(s) through one or more network(s).
- a data structure of security association information is maintained for at least a subset of actively managed client computing device(s).
- the security association data structure 406 is depicted comprising a security association identifier field 502 , a cryptography definitions field 504 , an authentication value field 506 and a security key field 508 , as shown.
- security association data structure(s) of greater or lesser complexity may well be used without deviating from the teachings of the present invention.
- the security association identifier field 502 denotes a particular identifier for each client and/or managed agent executing on a client.
- the cryptography definitions field 504 denotes the cryptography features (e.g., DES, Blowfish, RSA, etc.) employed to secure the communications between the manageability services and the client (or agent(s) within the client).
- the authentication value field 506 denotes the authentication value (PR) established between ENI 108 and manageability services 112 . In accordance with the teachings of the present invention, when manageability services 112 is interfacing with an ENI 108 , the authentication value in field 506 is merely updated once per client initialization event.
- the security key field 508 denotes the shared secret established between the client and the manageability services 112 .
- the security associations data structure 406 is employed to maintain security information for at least a subset of clients managed by manageability services 112 .
- manageability services 112 is depicted comprising one or more manageability applications 408 .
- manageability services 112 includes ARE protocol resources 412 .
- protocol resources 412 are selectively executable from within manageability applications 408 .
- ARE protocol resources 412 may well be embodied as a protocol stack within, e.g., network interface(s) 410 .
- ARE protocol resources 412 enable manageability services 112 to perform authentication services with ENI 108 .
- manageability applications 408 are intended to represent any of a wide variety of application tools that enable a user to remotely manage one or more client computing device(s).
- applications 408 may well include a user-interface (not particularly denoted), cryptography services 414 and secure communication services 416 .
- the cryptography services DES, Blowfish, RSA, etc.
- secure communication services 416 include a wide variety of secure communication resources (IPSec, etc.) to facilitate secure communication with a remote client computing device.
- Network interface(s) 410 are intended to represent any of a wide variety of network communication resources known in the art, enabling manageability services 112 to interact with client computing devices through a wide variety of network topologies and architectures and, as such need not be further described herein.
- ENI 108 and the manageability services 112 negotiate a baseline sequence value (anti-replay value).
- once a baseline sequence value is established, the secure communication resources of, for example, the IPSec protocol may well be employed to secure subsequent communications, using the baseline sequence value as a starting point from which the standard anti-replay features of the communications protocol can commence.
- An example of an IPSec datagram utilizing the features of the anti-replay value is presented with reference to FIG. 6 , below.
- the datagram 600 is depicted comprising a network header 602 , an internet protocol (IP) header 604 , a secure payload section 606 and, optionally, one or more network footers 608 .
- the payload is secured using an Encapsulating Security Payload (ESP) with anti-replay features.
- the ESP section includes a number of fields 610 - 618 including a sequence value field 612 .
- the baseline sequence value is employed as a starting point from which the incremental sequence values 612 are used for anti-replay purposes.
- the other fields include a security parameter index 610 , the actual payload 614 , security padding 616 and authentication information 618 .
- FIGS. 7 and 8 depict the operation of the secure manageability system in greater detail.
- the operation of the secure manageability system will be developed with continued reference to FIGS. 1-6 .
- FIG. 7 is a flow chart of an example method for implementing secure manageability communications, in accordance with the teachings of the present invention.
- the method begins with block 702 where, in the absence of a prior interaction between the enhanced network interface (ENI) 108 and the manageability services 112 , a security key (or, shared secret) (SS) is established between the host computing device 102 and the manageability services 112 .
- host computer 102 employs one of a number of key exchange and management protocols such as, e.g., ISAKMP, to automatically establish and maintain the security key (shared secret) (SS) between the host computer 102 and the manageability computing device 104 .
- manageability services 112 begins to establish an entry associated with ENI 108 in its security associations data structure, storing the security key information.
- computing device 102 stores a representation of the security key locally and, perhaps, within ENI 108 as discussed above.
- key exchange and management may well be performed manually by exchanging the security key between appropriate computing devices using, e.g., a removable storage media (floppy disk, CD, etc.), or it may be manually typed in from the memory of an administrator.
- control logic 202 selectively invokes an instance of authentication services 212 .
- authentication services 212 initiates an authentication protocol to identify and authenticate a remote manageability server. Once authenticated, authentication services 212 employs the authentication protocol (ARE) to negotiate a baseline sequence value with the remote manageability services.
- the baseline sequence value serves as a starting anti-replay value to facilitate subsequent communications with anti-replay protection.
- a communication flow diagram depicting the details of an example negotiation process used to establish the baseline sequence value is presented in greater detail below, with reference to FIG. 8 .
- ENI 108 facilitates secure manageability communications using the baseline sequence value established in block 704 as a starting point for the anti-replay features of the communications protocol (e.g., IPSec).
- security agent 110 of ENI 108 selectively invokes an instance of secure communications services 214 to facilitate subsequent communications between ENI 108 and the manageability services 112 of the authenticated management server 104 until a subsequent initialization event is identified, in block 710 .
- security agent 110 selectively invokes an instance of authentication services 212 to (re)authenticate a manageability server and establish a baseline sequence value from which to protect subsequent communications from replay attacks.
- In FIG. 8, an example communication flow diagram for authenticating a remote manageability device and establishing a baseline sequence value (block 704 of FIG. 7 ) is presented in accordance with the teachings of the present invention.
- the process 704 begins with block 802 at the ENI 108 where, upon receiving an indication of an initialization event, authentication services 212 generates and issues a request for a session key, e.g., REQ.
- the ARE request is issued in plain text (e.g., not encrypted).
- on receipt of the ARE request, manageability services 112 generates a session key (TR), encrypts the session key and generates an ARE response (RSP) to the request.
- the session key (TR) is a substantially random number generated by control logic 402 .
- Control logic 402 then implements an appropriate one of cryptographic services 414 to encrypt the session key (TR) using the security key (SS).
- Once the session key is encrypted (TRe), it is communicated to ENI 108 using an ARE response, e.g., RSP(TRe).
- authentication services 212 decrypts the encrypted session key (TRe), employing an appropriate one or more of cryptographic services 216 to recover the session key (TR).
- authentication services 212 of security agent 110 encrypts the authentication value and issues an authentication challenge (e.g., VFY) to verify the legitimacy of the remote computing device.
- the authentication value is encrypted with the session key (TR) received in block 804 above.
- manageability services 112 receives the authentication challenge and decrypts the authentication value (PRe), as expressed in equation 5, below.
- control logic 202 updates the security association data structure 406 with the authentication value information associated with ENI 108 .
- control logic 202 generates and encrypts an authentication response and an encrypted baseline sequence value, each of which are expressed mathematically in equations 6 and 7, below.
- the authentication response (Auth) is generated using the original data (the anti-replay value PR) as the key and the session key (TR) as the data.
- an encrypted baseline sequence value is generated by taking the IPSec anti-replay field and encrypting it using the session key (TR).
- This authentication response (AUTH) and encrypted baseline sequence values are communicated to the ENI 108 , in accordance with the ARE communication protocol.
- authentication services 212 receives and decrypts the authentication response and the baseline sequence value received from manageability services 112 . That is, authentication services 212 decrypts each of the AUTH and ARFe responses and checks the session key against prior responses to confirm that the responding computing device is a legitimate manageability server, before adopting the baseline sequence value as a legitimate sequence value for use as a starting point for protection against replay attacks.
- ENI 108 may well issue a confirmation of successful authentication to the remote manageability services 112 .
- FIG. 9 is a block diagram of an example computing device suitable for use as a computing device in a secure manageability system introduced herein. It is to be appreciated that computing device 900 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the media processing system. Neither should the computing device 900 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing device 900 .
- the secure manageability system introduced above is operational with numerous other general purpose or special purpose computing system environments or configurations.
- Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the secure manageability system include, but are not limited to, personal computers, server computers, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
- aspects of the system, protocol and related methods for providing secure manageability may well be described in the general context of computer-executable instructions, such as program modules, being executed by a computer.
- program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
- the media processing system may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
- program modules may be located in both local and remote computer storage media including memory storage devices.
- computing system 200 is depicted comprising one or more processors or processing units 902 , a system memory 904 , and a bus that couples various system components including the system memory 904 to the processor 902 .
- the bus is intended to represent one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
- bus architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnects (PCI) bus, also known as Mezzanine bus.
- Computing device 900 typically includes a variety of computer readable media. Such media may be any available media that is locally and/or remotely accessible by computer 900 , and it includes both volatile and non-volatile media, removable and non-removable media.
- the system memory 904 includes computer readable media in the form of volatile memory, such as random access memory (RAM) 918 , and/or non-volatile memory, such as read only memory (ROM) 920 .
- a basic input/output system (BIOS) 924 containing the basic routines that help to transfer information between elements within computer 900 , such as during start-up, is stored in ROM 920 .
- RAM 918 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit(s) 902 .
- Computer 200 may further include other removable/non-removable, volatile/non-volatile computer storage media.
- FIG. 9 illustrates mass storage device(s) 906 for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Examples of such media include a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media.
- the mass storage device(s) are depicted coupled with other system elements via one or more bus(ses).
- the drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules, and other data for computer 900 .
- Although the exemplary environment described herein employs magnetic media, it should be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as cassettes, flash memory cards, digital video disks, random access memories (RAMs), read only memories (ROM), and the like, may also be used in the exemplary operating environment.
- a number of program modules may be stored on the mass storage device(s) 906 including, by way of example and not limitation, an operating system 914 , one or more application programs 912 (e.g., manageability service(s), ARE protocol stack, crypto functions, secure communication services, and the like), and program data 916 .
- a user may interface with computer 900 through input devices 926 such as keyboard and pointing device (such as a “mouse”).
- Other input devices may include an audio/video input device(s), a microphone, joystick, game pad, satellite dish, serial port, scanner, or the like (not shown).
- Such input devices are connected through input interface(s) that is(are) coupled to any of a number of interface and bus structures, such as a parallel port, game port, or a universal serial bus (USB).
- computing device 900 is also depicted comprising output device(s) 928 .
- Such output device(s) are communicatively coupled with other system 900 elements through an interface(s) to one or more appropriate bus structure(s).
- Examples of such output device(s) include, for example, a monitor or other type of display device coupled to an appropriate bus via an interface, such as a video adapter.
- personal computers typically include other peripheral output devices (not shown), such as speakers and printers, which may be connected through an output peripheral interface.
- Computer 900 may operate in a networked environment using logical connections to one or more remote computers through network interface(s) 910 .
- network interface(s) 910 may well include the enhanced network interface 108 , providing computing device 900 with the secure manageability communication features described herein.
- the communicatively coupled, remote computer may include many or all of the elements and features described herein relative to computer 900 including, for example, the enhanced network interface 108 of network interface(s) 910 , manageability service(s) 112 of application(s) 912 , and the like.
- network interface(s) 910 may also be endowed with the communication resources and physical interface(s) necessary to interface computing device 900 with one or more of a local area network (LAN), and a general wide area network (WAN).
- Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.
- program modules depicted relative to the computing device 900 may be stored in a remote memory storage device communicatively coupled with the computing device 900 through a network and an associated network interface 910 .
- FIG. 10 is a block diagram of an example storage medium comprising a plurality of executable instructions which, when executed, cause an accessing machine to implement one or more aspects of the innovative enhanced network interface 108 and/or manageability services 112 of the present invention, in accordance with an alternate embodiment of the present invention.
- the present invention includes various steps.
- the steps of the present invention may be performed by hardware components, such as those shown in FIGS. 1-5 , or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor or logic circuits programmed with the instructions to perform the steps.
- the steps may be performed by a combination of hardware and software.
- Although the invention has been described in the context of a network interface card, those skilled in the art will appreciate that such functionality may well be embodied in any of a number of alternate embodiments such as, for example, integrated within a computing device, and is readily adaptable to wireless Ethernet implementations as well as the wired environment described herein.
- the present invention may be provided as a computer program product which may include a machine-readable medium having stored thereon instructions which may be used to program a computer (or other electronic devices) to perform a process according to the present invention.
- the machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, flash memory, or other type of media/machine-readable medium suitable for storing electronic instructions.
- the present invention may also be downloaded as a computer program product, wherein the program may be transferred from a remote computer to a requesting computer by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).
Description
TRe = Fe(TR, SS)   (1)
where:
- TRe is the encrypted session key (TR);
- SS is the shared secret; and
- Fe is the cryptographic function used to encrypt the session key.
TR = Fd(TRe, SS)   (2)
where:
- TRe is the encrypted session key (TR);
- SS is the shared secret; and
- Fd is an appropriate cryptographic function used to decrypt the session key.
PRnext = Fe(PR, SS)   (3)
where:
- PRnext is the anti-replay value used for a subsequent computing session;
- SS is the shared secret; and
- Fe is the cryptographic function used to encrypt the anti-replay value.
PRe = Fe(PR, TR)   (4)
where:
- PRe is the encrypted anti-replay value PR;
- TR is the session key; and
- Fe is the cryptographic function used to encrypt the anti-replay value.
PR = Fd(PRe, TR)   (5)
where:
- PRe is the encrypted anti-replay value PR;
- TR is the session key; and
- Fd is the cryptographic function used to decrypt the anti-replay value.
Auth = Fe(TR, PR)   (6)
where:
- Auth is the session key encrypted with the anti-replay value PR;
- TR is the session key; and
- Fe is the cryptographic function used to encrypt the anti-replay value.
ARFe = Fe(ARF, TR)   (7)
where:
- ARF is the baseline sequence value generated by, e.g., IPSec resources;
- TR is the session key; and
- Fe is the cryptographic function used to encrypt the anti-replay value.
TR = Fd(Auth, PR)   (8)
where:
- Auth is the session key encrypted with the anti-replay value PR;
- TR is the session key; and
- Fd is the cryptographic function used to decrypt the authentication value.
ARF = Fd(ARFe, TR)   (9)
where:
- ARF is the anti-replay field;
- TR is the session key; and
- Fd is the cryptographic function used to decrypt the anti-replay field.
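The FIG. 8 exchange and equations (1) through (9), carried through end to end as an added example (not the patent's own code): both parties run inside one Go program, AES on single 16-byte blocks stands in for the unspecified Fe/Fd, and the REQ/RSP/VFY/AUTH handler names, the struct layouts, the client id and the baseline value 1000 are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Every value the exchange moves (SS, TR, PR, ARF) is one AES block, so the patent's Fe/Fd
// become a single block-cipher call under the given key. AES is an assumption: the patent
// names DES, Blowfish, etc. and leaves the cipher open.
const blk = aes.BlockSize

func newBlock(key []byte) cipher.Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key used here is exactly one block long
	}
	return c
}

// fe is Fe(data, key) and fd its inverse Fd(data, key), each on a single block.
func fe(data, key []byte) []byte { out := make([]byte, blk); newBlock(key).Encrypt(out, data); return out }
func fd(data, key []byte) []byte { out := make([]byte, blk); newBlock(key).Decrypt(out, data); return out }

// The 32-bit ESP sequence number rides in the first four bytes of the ARF block.
func encodeARF(seq uint32) []byte { b := make([]byte, blk); binary.BigEndian.PutUint32(b, seq); return b }
func decodeARF(b []byte) uint32   { return binary.BigEndian.Uint32(b[:4]) }

// Server models manageability services 112 (control logic 402 plus crypto services 414).
type Server struct {
	ss  []byte            // shared secret (SS) established in block 702
	tr  []byte            // session key (TR) of the exchange in progress
	arf uint32            // baseline sequence value supplied by the IPSec resources
	sa  map[string][]byte // security associations 406: client id -> PRnext, eq. (3)
}

func NewServer(ss []byte, baseline uint32) *Server {
	return &Server{ss: ss, arf: baseline, sa: map[string][]byte{}}
}

// HandleReq answers the plaintext REQ with RSP(TRe), TRe = Fe(TR, SS), eq. (1).
func (s *Server) HandleReq() (tre []byte) {
	s.tr = make([]byte, blk)
	if _, err := rand.Read(s.tr); err != nil {
		panic(err)
	}
	return fe(s.tr, s.ss)
}

// HandleVfy recovers PR from the challenge, eq. (5), stores PRnext in the security
// association and returns Auth = Fe(TR, PR), eq. (6), with ARFe = Fe(ARF, TR), eq. (7).
func (s *Server) HandleVfy(client string, pre []byte) (auth, arfe []byte) {
	pr := fd(pre, s.tr)
	s.sa[client] = fe(pr, s.ss) // PRnext, eq. (3): the value this client presents next session
	return fe(s.tr, pr), fe(encodeARF(s.arf), s.tr)
}

// ENI models the enhanced network interface 108 (security agent 110, auth services 212).
type ENI struct {
	id string
	ss []byte // shared secret (SS)
	pr []byte // authentication value (PR) for this session
	tr []byte // session key recovered from RSP
}

func NewENI(id string, ss, pr []byte) *ENI { return &ENI{id: id, ss: ss, pr: pr} }

// HandleRsp decrypts TRe, eq. (2), and builds the challenge VFY(PRe), PRe = Fe(PR, TR), eq. (4).
func (e *ENI) HandleRsp(tre []byte) (pre []byte) {
	e.tr = fd(tre, e.ss)
	return fe(e.pr, e.tr)
}

// HandleAuth checks Fd(Auth, PR) == TR, eq. (8); only then is ARF = Fd(ARFe, TR), eq. (9),
// adopted as the starting ESP sequence value and PR rolled forward to PRnext, eq. (3).
func (e *ENI) HandleAuth(auth, arfe []byte) (uint32, error) {
	if string(fd(auth, e.pr)) != string(e.tr) {
		return 0, errors.New("AUTH does not decrypt to the session key: responder is not a legitimate server")
	}
	base := decodeARF(fd(arfe, e.tr))
	e.pr = fe(e.pr, e.ss)
	return base, nil
}

// RunARE drives the exchange of FIG. 8: REQ, RSP(TRe), VFY(PRe), then AUTH with ARFe.
func RunARE(e *ENI, s *Server) (uint32, error) {
	pre := e.HandleRsp(s.HandleReq())
	auth, arfe := s.HandleVfy(e.id, pre)
	return e.HandleAuth(auth, arfe)
}

func main() {
	ss, pr := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed SS and initial PR
	eni := NewENI("client-1", ss, pr)
	base, err := RunARE(eni, NewServer(ss, 1000))
	fmt.Println(base, err) // 1000 <nil>
}
```

A responder that does not hold SS recovers the wrong TR on its side of the exchange, so its AUTH fails the check in HandleAuth and no baseline sequence value is adopted.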
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/113,812 US7370111B2 (en) | 2002-03-27 | 2002-03-27 | System, protocol and related methods for providing secure manageability |
Publications (2)
Publication Number | Publication Date |
---|---|
US20030187999A1 US20030187999A1 (en) | 2003-10-02 |
US7370111B2 true US7370111B2 (en) | 2008-05-06 |
Family
ID=28453686
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/113,812 Active 2024-12-11 US7370111B2 (en) | 2002-03-27 | 2002-03-27 | System, protocol and related methods for providing secure manageability |
Country Status (1)
Country | Link |
---|---|
US (1) | US7370111B2 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050005093A1 (en) * | 2003-07-01 | 2005-01-06 | Andrew Bartels | Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications |
US20080301465A1 (en) * | 2007-06-04 | 2008-12-04 | Microsoft Corporation | Protection of software transmitted over an unprotected interface |
US20090094372A1 (en) * | 2007-10-05 | 2009-04-09 | Nyang Daehun | Secret user session managing method and system under web environment, recording medium recorded program executing it |
US7624263B1 (en) * | 2004-09-21 | 2009-11-24 | Advanced Micro Devices, Inc. | Security association table lookup architecture and method of operation |
WO2009145773A1 (en) * | 2008-05-29 | 2009-12-03 | Hewlett-Packard Development Company, L.P. | Providing authenticated communications to a replaceable printer component |
US20100100733A1 (en) * | 2008-10-17 | 2010-04-22 | Dell Products L.P. | System and Method for Secure Provisioning of an Information Handling System |
US9979611B2 (en) | 2009-06-17 | 2018-05-22 | Constantin Staykoff | Client-server system for network services and applications for mobile telecommunications terminals |
US10015267B2 (en) | 2008-09-02 | 2018-07-03 | Constantin Staykoff | Generic multichannel center for network applications and services |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ATE267429T1 (en) * | 2000-12-22 | 2004-06-15 | Nagravision Sa | COMPLIANCE TAX PROCEDURES |
US20050086465A1 (en) * | 2003-10-16 | 2005-04-21 | Cisco Technology, Inc. | System and method for protecting network management frames |
JP5094543B2 (en) * | 2008-05-15 | 2012-12-12 | キヤノン株式会社 | Information processing apparatus, control method, and program |
US8156318B2 (en) * | 2008-06-04 | 2012-04-10 | Intel Corporation | Storing a device management encryption key in a network interface controller |
FR2935584B1 (en) * | 2008-09-02 | 2013-03-29 | Opencode Systmes Ood | USSD CENTER GENERIC OF NETWORK APPLICATIONS AND SERVICES |
FR2947130B1 (en) * | 2009-06-17 | 2014-02-21 | Opencode Systmes Ood | INTELLIGENT GENERIC USSD CLIENT MODULE ONBOARD IN A TELECOMMUNICATIONS TERMINAL |
WO2012066471A1 (en) | 2010-11-19 | 2012-05-24 | Nagravision S.A. | Method to detect cloned software |
EP3471043B1 (en) | 2012-04-17 | 2020-07-01 | INTEL Corporation | Trusted service interaction |
WO2016118523A1 (en) | 2015-01-19 | 2016-07-28 | InAuth, Inc. | Systems and methods for trusted path secure communication |
US20170187752A1 (en) * | 2015-12-24 | 2017-06-29 | Steffen SCHULZ | Remote attestation and enforcement of hardware security policy |
US10608992B2 (en) * | 2016-02-26 | 2020-03-31 | Microsoft Technology Licensing, Llc | Hybrid hardware-software distributed threat analysis |
US11387978B2 (en) * | 2019-09-23 | 2022-07-12 | Live Nation Entertainment, Inc. | Systems and methods for securing access rights to resources using cryptography and the blockchain |
Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5001755A (en) | 1988-04-19 | 1991-03-19 | Vindicator Corporation | Security system network |
US5241599A (en) * | 1991-10-02 | 1993-08-31 | At&T Bell Laboratories | Cryptographic protocol for secure communications |
US5337313A (en) | 1992-11-12 | 1994-08-09 | Motorola, Inc. | Method and apparatus for preserving packet squencing in a packet transmission system |
US5646996A (en) | 1993-11-05 | 1997-07-08 | United Technologies Automotive, Inc. | Automatic resynchronization of transmitter in the event of corrupted memory |
US6247059B1 (en) | 1997-09-30 | 2001-06-12 | Compaq Computer Company | Transaction state broadcast method using a two-stage multicast in a multiple processor cluster |
US20010020275A1 (en) | 2000-03-04 | 2001-09-06 | Arkko Jari | Communication node, communication network and method of recovering from a temporary failure of a node |
US6301681B1 (en) | 1998-01-07 | 2001-10-09 | Pocketmail Inc. | Messaging communication protocol |
US20010052072A1 (en) | 2000-01-25 | 2001-12-13 | Stefan Jung | Encryption of payload on narrow-band IP links |
US6339796B1 (en) * | 1998-10-29 | 2002-01-15 | International Business Machines Corporation | System for logical connection resynchronization |
US20020052200A1 (en) * | 2000-09-11 | 2002-05-02 | Jari Arkko | Secured map messages for telecommunications networks |
US6466800B1 (en) | 1999-11-19 | 2002-10-15 | Siemens Information And Communication Mobile, Llc | Method and system for a wireless communication system incorporating channel selection algorithm for 2.4 GHz direct sequence spread spectrum cordless telephone system |
US6487176B1 (en) | 1997-11-19 | 2002-11-26 | Deutsche Telekom Ag | Measuring method and measuring device for data communication networks |
US6502135B1 (en) | 1998-10-30 | 2002-12-31 | Science Applications International Corporation | Agile network protocol for secure communications with assured system availability |
US20030002676A1 (en) * | 2001-06-29 | 2003-01-02 | Stachura Thomas L. | Method and apparatus to secure network communications |
US20030093680A1 (en) * | 2001-11-13 | 2003-05-15 | International Business Machines Corporation | Methods, apparatus and computer programs performing a mutual challenge-response authentication protocol using operating system capabilities |
US20030206559A1 (en) | 2000-04-07 | 2003-11-06 | Trachewsky Jason Alexander | Method of determining a start of a transmitted frame in a frame-based communications network |
US6697857B1 (en) | 2000-06-09 | 2004-02-24 | Microsoft Corporation | Centralized deployment of IPSec policy information |
US6810259B1 (en) | 1999-12-16 | 2004-10-26 | Utstarcom Inc. | Location update protocol |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100058052A1 (en) * | 2003-07-01 | 2010-03-04 | Andrew Bartels | Methods, systems and devices for securing supervisory control and data acquisition (scada) communications |
US20050005093A1 (en) * | 2003-07-01 | 2005-01-06 | Andrew Bartels | Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications |
US7624263B1 (en) * | 2004-09-21 | 2009-11-24 | Advanced Micro Devices, Inc. | Security association table lookup architecture and method of operation |
US20080301465A1 (en) * | 2007-06-04 | 2008-12-04 | Microsoft Corporation | Protection of software transmitted over an unprotected interface |
US20090094372A1 (en) * | 2007-10-05 | 2009-04-09 | Nyang Daehun | Secret user session managing method and system under web environment, recording medium recorded program executing it |
US9875365B2 (en) | 2008-05-29 | 2018-01-23 | Hewlett-Packard Development Company, L.P. | Providing authenticated communications to a replaceable printer component |
WO2009145773A1 (en) * | 2008-05-29 | 2009-12-03 | Hewlett-Packard Development Company, L.P. | Providing authenticated communications to a replaceable printer component |
US20110075189A1 (en) * | 2008-05-29 | 2011-03-31 | Jacob Grundtvig Refstrup | Providing Authenticated Communications to a Replaceable Printer Component |
US10015267B2 (en) | 2008-09-02 | 2018-07-03 | Constantin Staykoff | Generic multichannel center for network applications and services |
US20100100733A1 (en) * | 2008-10-17 | 2010-04-22 | Dell Products L.P. | System and Method for Secure Provisioning of an Information Handling System |
US9660816B2 (en) | 2008-10-17 | 2017-05-23 | Dell Products L.P. | System and method for secure provisioning of an information handling system |
US9166798B2 (en) | 2008-10-17 | 2015-10-20 | Dell Products L.P. | System and method for secure provisioning of an information handling system |
US8589682B2 (en) * | 2008-10-17 | 2013-11-19 | Dell Products L.P. | System and method for secure provisioning of an information handling system |
US9979611B2 (en) | 2009-06-17 | 2018-05-22 | Constantin Staykoff | Client-server system for network services and applications for mobile telecommunications terminals |
Also Published As
Publication number | Publication date |
---|---|
US20030187999A1 (en) | 2003-10-02 |
Similar Documents
Publication | Title |
---|---|
US7370111B2 (en) | System, protocol and related methods for providing secure manageability |
US7299354B2 (en) | Method to authenticate clients and hosts to provide secure network boot |
EP2105819B1 (en) | Efficient and secure authentication of computing systems |
JP4222834B2 (en) | Method and apparatus for storing a cryptographic key that authenticates a key server by obtaining and securely distributing the stored key |
US7849318B2 (en) | Method for session security |
JP4459703B2 (en) | Secure communication with keyboard or related devices |
US8438628B2 (en) | Method and apparatus for split-terminating a secure network connection, with client authentication |
US6874089B2 (en) | System, method and computer program product for guaranteeing electronic transactions |
US9055047B2 (en) | Method and device for negotiating encryption information |
EP2060056B1 (en) | Method and apparatus for transmitting data using authentication |
US8904178B2 (en) | System and method for secure remote access |
KR100966398B1 (en) | Method for provisioning of credentials and software images in secure network environments |
US20050149732A1 (en) | Use of static Diffie-Hellman key with IPSec for authentication |
US20060005239A1 (en) | Inspected secure communication protocol |
WO2019109852A1 (en) | Data transmission method and system |
CA2503271A1 (en) | A method and system for recovering password protected private data via a communication network without exposing the private data |
EP3613195B1 (en) | Cloud storage using encryption gateway with certificate authority identification |
EP3461097A1 (en) | Encrypted content detection method and apparatus |
US20120124383A1 (en) | System and method for protecting network resources from denial of service attacks |
US8112629B2 (en) | Stateless challenge-response protocol |
Kuo et al. | Comparison studies between pre-shared and public key exchange mechanisms for transport layer security |
CN113950802A (en) | Gateway apparatus and method for performing site-to-site communication |
JP2002344443A (en) | Communication system and security association disconnection/continuing method |
US8356175B2 (en) | Methods and apparatus to perform associated security protocol extensions |
Schonwalder et al. | Session resumption for the secure shell protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: INTEL CORPORATION, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: CALLUM, ROY; REEL/FRAME: 012950/0605. Effective date: 20020401 |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| CC | Certificate of correction | |
| FPAY | Fee payment | Year of fee payment: 4 |
| REMI | Maintenance fee reminder mailed | |
| AS | Assignment | Owner name: BEIJING XIAOMI MOBILE SOFTWARE CO., LTD., CHINA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: INTEL CORPORATION; REEL/FRAME: 037733/0440. Effective date: 20160204 |
| FPAY | Fee payment | Year of fee payment: 8 |
| SULP | Surcharge for late payment | Year of fee payment: 7 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 12 |